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We introduce new sophisticated attacks with a Hong-Ou-Mandel interferometer against quantum 
key distribution (QKD) and propose a new QKD protocol grafted with random basis shuffling 
to block up those attacks. When the polarization basis is randomly and independently shuffled 
by sender and receiver, the new protocol can overcome the attacks even for not-so-weak coherent 
pulses. We estimate the number of photons to guarantee the security of the protocol. 
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A cryptography based on quantum mechanics has re- 
ceived much attention since the seminal works on quan- 
tum key distribution (QKD) by Bennett and Brassard 
(BB84) 11 and Ekert (2|. Up to now^ various QKD 
protocols have been proposed H, S IE S S and ex- 
perimentally realized |flj9l[l0| . Also their security was 
continuously examined [3,0,0, H, O, Q| ■ Recenth^, sin- 
gle photon QKD and entangled-state QKD [J were 
much studied because when one does not use a single 
photon most protocols have their own serious security 
holes against such eavesdropping attacks as photon num- 
ber splitting (PNS) 1^, intercept and resend (lAR) TiJ, 
and impersonation attack ;15j . However, single photon 
QKD is not economical because it is difficult to have a 
reliable single-photon source and also a photon can be 
easily lost due to imperfect channel efficiency [^. For 
this reason, the development of a secure QKD protocol 
with not-so weak coherent pulses is indispensable to real 
communication . 

Very recently, two new QKD protocols that use not- 
so- weak coherent pulses (faint laser pulse) were proposed; 
One is based on a two-wa y co mmunication without en- 
tanglement (LM protocol) [131 and the other a three-way 
communication with blind polarization [T^ . In the for- 
mer, in brief, the user "Bob" prepares a qubit in one of 
the four states of Pauli operators X and and sends 
it to his counterpart "Alice." With probability c, Alice 
measures the prepared state and, with probability 1 — c, 
she uses it to encode the message. She sends the qubit 
back to Bob. Then Bob can deterministically decode Al- 
ice's message by measuring the qubit in the same basis 
he prepared it. 

In the latter, Alice sends two randomly and inde- 
pendently polarized not-so-weak coherent pulses to Bob. 
Bob rotates the polarization of pulses with another ran- 
dom angle, shuffies it with ±j or =F^, and sends back 
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the pulses to Alice. Alice compensates her random an- 
gles, encodes a key bit, and sends one of the pulses to 
Bob after randomly blocking the other. Then Bob reads 
the polarization of the return qubit after compensating 
his random angle. When Alice publicly announces the 
blocking factor, Bob recovers the key bit. 

The security of the former protocol was examined in 
a noisy channel against a spy pulse. And it was claimed 
that the protocol is robust against the PNS attack be- 
cause of a lack of symmetry in the photon states. In the 
latter, the security of the random polarization was exam- 
ined against the PNS and the lAR attacks. And though 
it was expected that the shuffiing and random blocking 
would play a crucial role in enhancing security, the pro- 
tocol turned out insecure, particularly against the imper- 
sonation attack (l^J. So Kye and Kim modified the pro- 
tocol by randomly and independently shuf fling the qubit 
polarization with or — 2. (KK protocol) f2(J| . 

However, we are still doubtful about the security of 
both the LM and the KK protocols. To use them in prac- 
tice, the security must be rigorously examined. So we 
develop new sophisticated eavesdropping atjtacks using a 
Hong-Ou-Mandel interferometer (HOMI) 21], which are 
the most advanced ones against these type QKD proto- 
cols. In this Letter, first, we introduce the new attacks 
to show the security holes of the LM and the KK pro- 
tocols. Next, we propose a new QKD protocol that uses 
not-so-weak coherent pulses. Last, we prove the security 
of our protocol against the attacks that we introduce. 

We introduce the PNS attack with a HOMI to examine 
the security of the LM protocol. The attack procedure is 
like this. When a not-so-weak coherent pulse is used in 
a lossy channel, an eavesdropper Eve replaces the lossy 
channel with a perfect one and splits out photons from 
the forward and the backward path. Then Eve measures 
the interference between the split photons from both the 
paths with a HOMI. If interference appears, the coding 
is "0"; if not, it is "1." Thus Eve obtains the key bit 
regardless of the lack of symmetry. 

For the security of the KK protocol, we now intro- 
duce a new impersonation attack with a HOMI. When 



2 



Eve has a HOMI in her superiority, she can easily attack 
the protocol even though the shuffling method is modi- 
fled to block up an impersonation attack. The procedure 
is as follows: (1) Eve intercepts the two qubits \ipi) — 
1^1 ) ® 1^2) from Alice to Bob, and stores them. Then Eve 
prepares two highly coherent qubits \4>'i) = \9[) jSj), 
and sends them to Bob. (2) When the qubits are back 
from Bob, Eve compensates her random angles (let the 
compensated qubits be l^*)), splits out one photon from 
both qubits of |^) and measures the angle difference with 
a HOMI. Because of the random and independent shuf- 
fling ±j, the qubits in are either parallel or orthog- 
onal: if interference occurs, the two qubit states are par- 
allel; if not, they are orthogonal. When they are parallel. 
Eve applies Uy{j) (8) Uy{j) to if not, she apphes 

Uy{-j) «i Uy{j)- She sends the qubits to Alice. (3) Eve 
measures the pre-key bit after intercepting the return 
qubit from Alice, and estimates the key bit according to 
the blocking factor. She applies the estimated key bit to 
one of the qubits of j'l') depending on the blocking fac- 
tor and sends the chosen qubit to Bob. (4) When Alice 
publicly announces the blocking factor. Eve recovers the 
key bit. 

In this attack, let us consider the case that the two 
qubits in |^) are parallel. In (3), the qubit state, in 
Eve's measurement, is either |0) or |-|), since Eve ap- 
plies Uy{j) ® Uy{j) to \ipi). Then Eve obtains the key 
bit regardless of the blocking factor. After the measure- 
ment. Eve applies Uy{{—^)''j) to any of the qubits in 
5*) depending on her measurement, and sends it to Bob 
without revealing her presence in the channel. When the 
two qubits in j^*) are orthogonal, Zhang's attack proto- 
col [l^ is valid. Thus Eve can attack the KK protocol 
perfectly. 

Protocol. — To block up the impersonation attack 
with a HOMI and to use not-so-weak coherent pulses, we 
adopt the basic idea of the BB84 protocol, which is to 
use the four photon states of 0, ^, and ±j polarization. 
The four states can be written as (-l)"f -h{(-l)'' + l}f , 
where s is the random polarization shuffling and r is the 
random basis shuffling. Here the basis shuffling plays 
a crucial role in blocking up the impersonation attack. 
Our new protocol with random basis shuffling proceeds 
as follows: 

(P.l) Alice sends two qubits of 1-01) = \0i) (g) \92) = 
®l=i \0b) to Bob. 

(P.2) After receiving I^Ai), Bob applies a unitary opera- 
tor {g)^^^ Uy{(j) + (-1)^"! + {(-l)'^" + l}f ) where 
Sb = {0, 1} and = {0, 1} are the independent 
random numbers to shuffle the photon state and 
the polarization basis, respectively. He returns the 
qubits 1-02) to Alice. 

(P.3) On receiving 1-02), Alice apphes 0^^iC/y(— + 
+ {{-1)P» + l}f), where h S {0,1} is 
the key bit and pi, G {0, 1} is Alice's basis shuffling 



parameter. She block one of the qubits and sends 
the other |-03) to Bob. 

(P.4) When arrives. Bob compensates his random 
angle with — 0, divides the qubit into two with 
a 50 percent beam splitter, and measures each pre- 
key bit on the | ± f ) and the |0) and ^) bases. He 
stores the pre-key bit. 

(P.5) After repeating the procedure from (M.l) to (M.4) 
A^-times, Alice publicly announces h and pb- Then 
Bob decodes the original key bit. 

(P.6) When Eve misses the key bit because of the divi- 
sion of the return qubit, Bob publicly announces on 
which turns qubits have been missed in measure- 
ment. Then Alice and Bob repeat the procedure 
from (M.l) to (M.5) for the missed key bit until 
the full key bit stream is generated. 

(P. 7) In order to verify the integrity of the shared keys, 
Alice and Bob evaluate the hash values, ha — 
H{ka) and /if, — H{kh), where ka and fcf, are Alice's 
and Bob's shared keys, respectively. Then they ex- 
change and compare them. If ha = hb, they keep 
the shared keys, otherwise, they abolish the keys. 

In this protocol, the efflciency of key distribution de- 
pends on the number of photons of j^a)- The efficiency is 
1 — 1/2" for an n-photon qubit. If one wants to increase 
the efflciency, (s)he can slightly modify the protocol like 
this. In (M.4) Bob stores the return qubit j^a) in a quan- 
tum storage like a fiber and publicly announces to Alice 
his reception of the qubit. Then when Alice announces 
b and pb. Bob decodes the original key bit by measuring 
the polarization of the stored qubit. 

Now, we focus on the security against the imperson- 
ation attack, since it was proved that a protocol using 
random angle polarization is secure against the PNS and 
the lAR attacks [Tsj . 

Attack-1. — We suppose that the superior Eve knows 
the angle difference of the two qubits in j^*} and the pre- 
key bit exactly. Then the attack procedure is as follows: 

(A.l) After (P.l), Eve intercepts and stores and 
sends ^ 06=1 K) to Bob. 

(A. 2) After (P.2), Eve intercepts 1^2) and compen- 
sates her random angle with —6*^. Then Eve has 14") = 

0L1 \i(t> + (-l)'"! + {(-1)'''' + l}f ))• Eve splits out a 
few photons from both pulses of Ivf} and stores the rest. 
Then Eve measures the angle difference of the split pho- 
tons with a HOMI. There are three cases of results: first, 
on complete non-interference the angle difference of the 
two pulses is ^; second, on complete interference it is 
0; and third, on partial interference it is 7r/4. On each 
case. Eve applies Uy{j) 8) Uy{-j), Uy{j) Uy{j), and 
Uyij) "Xi Uy{0) to 1-01), respectively. And Eve sends IV'I) 
to Alice, where the superscript e implies Eve's action to 
Alice's qubits. 
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FIG. 1: The probability of Eve's estimation depending on the 
photon number: Line A is the pre-key bit estimation with the 
use of POVM, and Line B is the angle difference and sequence 
estimation with a HOML 



(A. 3) After (P.3), Eve measures the pre-key bit from 
I ■(/'I), estimates Alice's unitary operation depending on 
h from the pre-key bit, chooses one qubit of |^), and 
applies the unitary operator that she has estimated. 

In order to show the security of our new protocol, we 
consider the case that Bob applies a unitary operator 
lJy{<\)) ® Uy{(j) + f )■ In (A. 2), on receiving the qubits. 
Eve compensates her random angles. Then the qubit 
state becomes 1^") = \(j>) + f ). Suppose that Eve 

applies Uyij)^ Uy{0) to the qubits and returns the 
qubits IV'I) to Alice, since she does not know the sequence 
of the qubits. She can measure only the angle difference 
with a HOMI. Also suppose that, on receiving the qubits, 
Alice compensates her random angles, blocks the second 
qubit, rotates the first by j, and sends the first to Bob. 
Then the parameters of the qubit are b — 1, fci = 0, and 
Pi = 1. Eve intercepts the return qubit jV'f) and mea- 
sures the polarization of the qubit that is ^ . Here Eve 
must estimate the rotation angle depending on b. When 
Eve chooses 6=2, the rotation angle is ^. Then the 
parameters that Eve estimates are ^2 = and P2 — 0. 
Eve rotates the second qubit of j^*) by and sends it to 
Bob. Then Bob's pre-key bit is ||7r) = -f ). When Alice 
announces b and pb, Bob recovers the key bit as fc = 1. 
When Eve chooses 6=1, Bob's key bit is fc = 0. Whether 
the angle difference of the two qubits in I'if) is ^ or 0, 
there is no error, whatever the sequence of the qubits in 
'f) is. Bob's wrong recovery is caused by Eve's wrong 
choice of the sequence when the polarization difference 
between the two qubits in \'^) is j. Owing to the possi- 
bility of the J angle difference, sequence mismatch, and 
wrong choice of b, Bob's error rate is 12.5 percent. This 
means our new protocol is secure against Eve's imperson- 
ation attack, even when she knows the angle difference 
between the two qubits in \^!) and the pre-key bit. 



Attack-2. — When Eve knows not only the pre-key 
bit but also the angle difference and the sequence of the 
two qubits in she can recover the key bit completely 
without Bob's recognition. However, a measurement of 
all of them is not easy in practice because of the lim- 
ited number of photons. To estimate the number of 
photons for the security of our new protocol, first, we 
consider Eve's attack on the pre-key bit with the posi- 
tive operator- valued measurement (POVM) In this 
measurement, when we consider one of the four photon 
states and N identical copies of the state, we can obtain 
the probability of Eve's estimation of the pre-key bit de- 
pending on the number of photons. According to ref. |22l| . 
the probability is P(iV)£; = 1 - (l/2)[(^-i)/2l, where [ • ] 
is the rounding to the closest lower integer. Line A in Fig. 
1 shows about 95 percent accuracy for N = 10. 

Next, we consider Eve's attack on the angle difference 
and the sequence between the two qubits in I^P). Suppose 
that Eve replaces the lossy second and third channels 
with perfect ones and that she has perfect technology to 
split a certain number of photons from both the qubits, 
although this is far beyond today's technology. Eve splits 
out the same number of photons from both the qubits in 
4'} in consideration of the channel efficiency. She picks 
out one photon from N photons split from the first qubit 
(let it be Ti and the others T2), and picks out one photon 
from N photons split from the second qubit (let it be Ri 
and the others i?2)- From the interference between T2 
and i?2, Eve measures the angle difference between the 
two qubits in j^*} using the method in (A. 2). When T2 
and i?2 give rise to partial interference, the angle differ- 
ence is 7r/4. Then Eve rotates Ti by 7r/4 and measures 
the interference between Ti and When she observes 
interference, the angle of the first qubit to the second 
one is — J, while with no- interference it is ^. Then Eve 
knows the sequence of the qubits for the 7r/4 angle dif- 
ference. In the case of partial interference between T2 
and i?2, let us assume that j photons make interference 
while N —l—j photons give rise to no interference. Then 
the probability of Eve's estimation for the partial inter- 
ference is ^jv^-i ^^=1 Cj^) ■ other cases of com- 
plete interference and no interference. Eve regards that 
the photon states of T2 and R2 are parallel and orthog- 
onal, respectively. Then Eve's probability for the esti- 
mation of the angle difference and the sequence of j^*) is 
P{N)e = ^ + 2^ 'EfJi^ (^7^)) because of the probabil- 
ity of the 7r/4 angle difference. 

Line B in Fig. 1 is the probability of Eve's estima- 
tion for the angle difference and the sequence of the two 
qubits in j^*) depending on the number of split photons. 
When Eve splits out 5 photons from each qubit she can 
measure both the angle difference and the sequence of 
the two qubits with about 93 percent accuracy. Lines A 
and B in Fig. 1 show that the estimation of the pre-key 
bit of I "03) is less efficient than that of the angle difference 
and the sequence of the two qubits in I^P), even when the 
channel efficiency is considered. When we consider that 
the qubits of \'^) are at Eve's mercy, we can understand 
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that most of the errors by Eve can occur in the measure- 
ment of the pre-key bit due to the basis shuffling. So the 
basis shuffling is decisive in blocking up Eve's attack. 

Attack-3. — Another instance of the impersonation at- 
tack in our new protocol is the attack on b and the photon 
state of IV'D- In this attack, Eve applies Uyi'^) (S> Uy{0) 
to l^/^i) in (A. 2) and sends jV'l) to Alice. Since Alice ap- 
plies a key bit and basis shuffling, after she compensates 
her random angle with —9^, the qubit state li/j^) in (A. 3) 
is one of the four states (1 -I- 2n)7r/8 for the first qubit 
or one of the four states 2mr/8 for the second, where 
n = 0,1,2,3. Then by measuring the qubit state with 
POVM, Eve can obtain b and k (B Pb- Depending on b, 
Eve apphes k(BPb to the 6-th qubit of and sends the 
qubit to Bob. When Alice publicly announces b and pb, 
Eve recovers the key bit. 

In this attack protocol, Eve should measure the return 
qubit state with POVM among eight states. We can 
intuitively understand that the photon state estimation 
with POVM among eight states is less efficient than that 
of among four states, since POVM for eight states needs 
at least 7 photons j22|. The attack on the pre-key bit is 
more serious than the attack on b. Eve can also attack 
b by counting the number of photons of the two pulses 
|19l |. To block up this attack, in (P.3), the number of 
the photons of the returning pulse should be randomly 
reduced to be less than either of the photon numbers of 
the two received pulses. 

Attack-4- — Eve can add an invisible spy pulse, whose 
wavelength is different from that of Alice's qubits [23^ . 
The removal of this spy pulse is so trivial when Alice 
uses a commercial band-pass filter, a spectrometer, and 



a Fabry-Perot interferometer. To block up this kind of 
attack, the use of quasi-monochromatic photons is cru- 
cial. For another instance, Eve can add a spy pulse with 
time delay to the original qubits. Alice and Bob can eas- 
ily remove this spy pulse with an optical switcher. Alice 
and Bob can also recognize the spy pulse by randomly 
measuring the pulse intensity. 

In conclusion, we have shown that the LM and the KK 
protocols are vulnerable to sophisticated eavestropping 
attacks with a Hong-Ou-Mandel interferometer. The LM 
protocol is insecure against the PNS attack with a HOMI 
and the KK protocol against the impersonation attacks 
with a HOMI. These atacks are effective to these pro- 
tocols. To overcome these attacks, we have proposed a 
new protocol with basis shuffling as an altenative. In the 
three-way communication ptotocol, when both the po- 
larization basis and the photon state arc randomly and 
independently shuffled, the protocol with random polar- 
ization becomes robust against not only the PNS and 
the lAR attacks but also the sophisticated impersonation 
attacks with a HOMI, even with not-so-weak coherent 
state pulses. As we have shown, the number of photons 
of Alice's qubits is very important in blocking up the 
impersonation attacks. This new QKD protocol can be 
applicable to real communication because of the merit of 
robustness and the use of not-so-weak coherent pulses. 
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